Home > Risk > Is your compliance program strong enough?

Is your compliance program strong enough?

My thanks to Maurice Gilbert, who shared news about guidance from the US Department of Justice (DOJ). It describes how investigators will assess an organization’s compliance program as part of an investigation into that company.

The DOJ Guidance, Evaluation of Corporate Compliance Programs, should be read and considered by all governance, compliance, risk, and audit practitioners.

Every organization should address every one of the Topics and underlying questions in the document.

Aspects I like include:

  • A focus on not just the tone but the conduct at the top
  • The stature, autonomy, empowerment, and funding of the compliance function
  • An assessment of the risk management activity, although the questions are a bit shallow
  • The independence and performance of investigations by the organization
  • Whether managers as well as employees are held accountable, and who participated in disciplinary decisions and actions
  • The role of internal audit
  • The consideration of how the actions of third parties, for example in outsourced operations or by agents, could affect compliance
  • Whether there is sufficient due diligence around compliance during M&A

While it would be easy to leave the assessment of compliance activities to internal audit, and I believe this is an area they should actively consider, senior management should take ownership of the need for an effective compliance program.

How does your organization stack up?

Would it pass an evaluation using this guidance?

Shouldn’t the board insist on a periodic assessment by executive management?

I welcome your comments.

Advertisements
  1. GSosbee
    March 7, 2017 at 7:17 AM

    Good review of an outline of Compliance issues that should already be addressed in any functioning ERM program. My only comment concerns your last comment “Shouldn’t the board insist on a periodic assessment by executive management?”

    The answer is absolutely. Any organization that is working under a true ERM program (as opposed to a “check-the-box” program) includes Compliance in the full ERM dashboard and reviews it at least once a year with either the full board or the Chairman of the Risk Committee.

  1. No trackbacks yet.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: